Discord Tokens
At the moment, I'd say there's quite a large problem which is "Token Logging" - Usually someone will run a malicious program and their token will be remotely sent to a user.
I think Discord should make it so requests to the Discord API by the Discord Client will only be authorized if it is by the IP that logged in and validated said token, it will stop many of these attempts.
Screw mobile data users, and others with inconsistent IPs I guess ¯\_(ツ)_/¯
-3 -
There aren't any token loggers for mobile, so if it's generated by the mobile client it can just ignore the checks.
IPs will usually only change every couple days/when you restart the router if you have a Dynamic IP, then there's people with Static IPs as well.
-3 -
You know they can make it look like it's coming from the mobile client, and there will never be a true fix or a way to protect the token, so yeah.
1 -
If it's created by mobile, not accessed.
-2 -
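The scheme argued over in the comments above, modelled as an added example that is not part of the thread and not Discord's code. `TokenStore`, `authorize` and the `claims_mobile` flag are hypothetical names, and the addresses are constructed from documentation ranges. It shows where the IP check helps, where it locks out the owner, and why a mobile exemption only holds if the server records it when the token is issued.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    login_ip: str
    issued_to_mobile: bool  # recorded server-side when the token is issued

class TokenStore:
    """Toy in-memory session store (hypothetical, for illustration only)."""
    def __init__(self, trust_client_mobile_claim=False):
        self.sessions = {}
        self.trust_client_mobile_claim = trust_client_mobile_claim

    def login(self, ip, mobile=False):
        token = secrets.token_urlsafe(24)
        self.sessions[token] = Session(ip, mobile)
        return token

    def authorize(self, token, request_ip, claims_mobile=False):
        s = self.sessions.get(token)
        if s is None:
            return "deny: unknown token"
        # The exemption is safe only when it comes from the issuance record,
        # not from something the request says about itself.
        if s.issued_to_mobile or (self.trust_client_mobile_claim and claims_mobile):
            return "allow: mobile exemption"
        if request_ip != s.login_ip:
            return "deny: ip mismatch"
        return "allow"

def run_scenarios():
    # Constructed sample addresses (RFC 5737 documentation ranges).
    home, new_lease, other = "198.51.100.7", "198.51.100.99", "203.0.113.50"
    strict, lax = TokenStore(), TokenStore(trust_client_mobile_claim=True)
    tok = strict.login(home)
    lax_tok = lax.login(home)
    mobile_tok = strict.login(home, mobile=True)
    return {
        "same_ip": strict.authorize(tok, home),
        "copied_token_other_ip": strict.authorize(tok, other),
        "owner_after_ip_change": strict.authorize(tok, new_lease),
        "claim_ignored": strict.authorize(tok, other, claims_mobile=True),
        "claim_trusted": lax.authorize(lax_tok, other, claims_mobile=True),
        "mobile_issued_other_ip": strict.authorize(mobile_tok, other),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} {outcome}")
```

The last scenario is the remaining trade-off: a token issued to a mobile client is not bound to any address at all.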
It would have to be accessed by mobile. It seems like you don't know how the discord client works.
1 -
What are you on about? I'm just saying if the token was generated on a mobile device, it won't apply for that token.
-3 -
It doesn't generate a token, it accesses the token and then stores it.
1 -
That isn't how it works.
Whenever you login to discord, a new token is generated for you. Go to discord and open your developer tools, go to application, then go to local storage.
Log out of discord and log back in, you'll see the "token" field change.
-3 -
It will still be the same token, it doesn't change unless you change your password.
1 -
Try it.
-1 -
Still the same, it's the same token. Explain to me this: how can a user bot work every time it logs in without generating a new token? How would it get the new token if it was regenerated? You would have to post the new token each time for the user bot to work, but it continues to work with the same token. It's basically logging in the same, like the client.
1 -
They don't work consistently due to what I said.
People have to manually update it all the time.
-1 -
Also please use some sort of punctuation, it's getting really hard to read.
-2 -
No, unless they change their password, because I've seen people run a user bot without having to change the token once.
1 -
"you've seen people"
Yes yes, because people definitely say "oh look my token changed! let me update my token in my selfbot's configuration!"
-1 -
Whatever, you're not seeing what I'm saying, you're just being stupid.
1 -
First of all, the token is not stored in application local storage, and they keep moving it. I find it in the network tab of Chrome or Chromium, and I find the science tab and I look in the request payload to find my token; you can also find your Spotify token too. Either way, the token does NOT change upon logging out and logging back in. The token is a derivative of your client_ID and client_Secret, and if you have those then you can generate tokens. Either way, it's not going to help, because for one, yes, mobile users have inconsistent IP addresses, and the fact that just marking the token as a mobile user doesn't do much, because you can still mark a token you generated as a mobile one or something.
0 -
On the latest PTB build it is located in local storage and the token is regenned when you log in. If someone manually marks their token as mobile, then that's their fault, they shouldn't have done that if they wanted their token to be protected.
-1 -
PENGUIN114 The last I checked, users' tokens don't regen every log-in; this would be completely pointless so they just don't do that. I feel like you're getting mixed up with the way Roblox tokens work.
1 -
Maybe my discord is just broken.
Anyways, having tokens being able to be grabbed and accessed so easily is definitely a security flaw.
1 -
I have a question, some guy did .token @Pixums and a token popped up! Is that real or not because it seemed like he tokened me. I changed my token ofc but I'm still scared
0 -
Pix, that's just a randomly generated string that matches the token regex.
0 -
Yeah he basically took the 1st half of my token and acted like he was hard LOL, we all got into a group chat and me and my friend clowned everyone. They were saying they were going to swat me or something. Couldn't do anything lolol
0 -
So in your world, Man-In-The-Middle attacks clearly don't exist.
You can go on about how it would be hard to do, but not really if you have a close connection to the person, or access to their phone/pc. You can install a root certificate, issue a certificate for Discord, and siphon everything sent to and from Discord. This includes tokens, as well as passwords, (possibly) phone numbers, and more.
I've done this to myself on pc, and mobile, so it is definitely possible. There is not a reliable way to prevent this. Certificate checks fail as soon as you're behind a network with a firewall that replaces all certificates, which is a MITM attack, but is perfectly valid. There really isn't anything you can do about this.
3 -
Also, yes, IP checking would work in some situations. But if something gets your token, what's stopping it from using that token to change your password on the fly? An antivirus? Clearly not if it got the token in the first place.
2 -
I'm too simple minded to understand anything you said
-1 -
How do you find a discord token on pc? I'm slow, lol, and I can't find it.
1 -
Inspect element, listen over the network.
2 -
Not sure why you would need it tho :/
0 -
I'm still token logged and I hate it
Comments: 35